RSA Signature Forgery

Description

Philip Mackenzie and Marius Schilder of Google informed us of Daniel Bleichenbacher's
recent presentation of a common implementation error in RSA signature verification,
a failure to account for extra data in the signature. For signatures with a small
exponent such as 3 it is possible for an attacker to calculate a value for this extra data to make an altered message appear to be correctly signed, allowing the signature to be forged.
Mozilla's Network Security Services (NSS) library was vulnerable to this flaw.

Because the set of root Certificate Authorities that ship with Mozilla clients
contain some with an exponent of 3 it was possible to make up certificates,
such as SSL/TLS and email certificates, that were not detected as invalid.
This raised the possibility of the sort of Man-in-the-Middle attacks
SSL/TLS was invented to prevent.

We thank Philip Mackenzie and Marius Schilder for bringing
this result to our attention and working with us to ensure the NSS library was
safe from variations on this basic attack.